APRA’s AI Directive

Government #2
Jun 11, 2026
| Greg Spencer

APRA's AI Letter: A Regulator's Signal Every Australian Board Should Read

Independent perspective on what the regulator's call for a step-change really means: for APRA-regulated entities and everyone else.

On 30 April, the Australian Prudential Regulation Authority wrote to its regulated industries (banks, insurers and superannuation trustees) calling for what it described as a step-change in how they manage AI-related risk. The letter is the most prescriptive AI-specific intervention APRA has made, and follows a targeted supervisory review conducted across all of its regulated industries late last year.

If your organisation is not directly regulated by APRA, it would be easy to file this away as someone else's problem. That would be a mistake. APRA's letter is, in effect, a regulator showing its working: telling the rest of the market what it considers the minimum standard for governing AI in serious organisations. Boards that ignore that signal are choosing to learn the same lessons later, at greater cost.

What APRA actually said

The headline finding is uncomfortable: governance, risk management, assurance and operational resilience practices across the regulated industries are not keeping pace with the speed, scale and complexity of AI adoption. Three observations stand out.

First, AI risk cuts across multiple domains, spanning operational resilience, cyber and information security, data governance, model risk, change control, privacy, conduct, procurement and third-party dependency, and existing change and assurance approaches are too fragmented to manage it. Continuous validation and monitoring is not consistently in place to detect model drift, bias, failure modes or control breakdowns in a timely manner.

Second, boards are engaged with the upside of AI (productivity, efficiency, customer experience) but many directors are still developing the technical literacy required to challenge management effectively on the downside.

Third, the AI supply chain is becoming a blind spot. Embedded AI features inside existing platforms, third- and fourth-party dependencies, and rapidly evolving vendor offerings are reducing transparency at precisely the moment risk is increasing.

APRA organised its expectations around four observation areas: governance, third-party supplier risk, cyber and information security, and change management and assurance. The common thread is consistency: frameworks, ownership and accountability that span the full AI lifecycle, from design through deployment to decommissioning, supported by a current inventory of AI tooling and use cases.

Why this matters beyond regulated entities

Australian regulators tend to move in formation. The Privacy Act reforms, the AI Ethics Principles, the voluntary AI Safety Standard and now APRA's letter are converging on a common expectation: boards are accountable for the AI being used in their organisations, whether they built it, bought it, or inherited it inside a SaaS platform. For any board with a meaningful AI footprint, the practical implications are the same:

  • Existing risk frameworks were not designed for AI. Bolting AI risk onto a model risk policy, a cyber policy or a procurement policy in isolation is exactly the fragmented approach APRA called out. AI risk needs to be addressed as a cross-domain discipline, with clear ownership end-to-end.
  • Governance has to move at the pace of deployment. AI use cases are proliferating inside organisations faster than most governance forums meet. If your AI inventory does not exist, or is six months out of date, the board has no realistic line of sight.
  • Third-party AI is now a first-order risk. Most organisations are not building models; they are consuming AI capabilities embedded in existing platforms or accessed via APIs. Contracts, audit rights and assurance arrangements need to catch up with that reality.
  • Director literacy is part of the control environment. APRA's observation that many directors are still developing the technical literacy needed to challenge management effectively is a serious one. Independent, conflict-free advice, not only from the vendors selling the technology, is increasingly part of how directors discharge their duties.

What good looks like

The organisations getting ahead of this are doing four things at once. They are treating AI governance as a board-level agenda item with regular reporting on AI risks, not just AI opportunities. They are maintaining a live inventory of AI use cases, including embedded AI in third-party tools, owned by an accountable executive. They are aligning AI risk to their existing operational resilience, cyber and model risk frameworks rather than creating a parallel structure that no one quite owns. And they are investing in the technical literacy of directors and senior leaders so that challenge in the boardroom is informed, sceptical and useful.

None of this requires reinventing the organisation's risk approach. It does require the integrated, end-to-end view that APRA found missing.

A closing thought

APRA's letter is worth reading in full, regardless of whether you are directly regulated by it. It is one of the clearest articulations available of what a competent regulator now expects of a competent board on AI. The bar has shifted. The question for directors is not whether to respond, but how quickly and how credibly.

Ready to talk?

Independent perspective. One conversation away.

A 30-minute conversation with a partner is the simplest way to see where your organisation stands against the expectations regulators are now setting. No pitch, no sales process - just a senior view of where you are and where the priorities should sit.
